Re: How to remove events that have the same field ...

SplunkTrend · ‎02-04-2016

Basically, what I do is extracting the first 3 characters of the host field and show it in a separate field called Place. Now what I want to show is just records having different values in the same event and not show those records that have same value. Any help is appreciated. Thank you.

| stats list(host) AS host, list(Place) AS place by ip

IP               host          place
10.10.20.30      dalerf01      dal
                 dalerf02      dal

30.60.40.50      houl548       hou
                 grfd548       grf

somesoni2 · ‎02-04-2016

Try something like this

your base search which gives host, Place, ip | dedup ip Place  | stats list(host) AS host, list(Place) AS place by ip

renjith_nair · ‎02-04-2016

Try

| stats values(host) AS host, values(Place) AS place by ip

OR

Try dedup command

your search |dedup IP host place

---
What goes around comes around. If it helps, hit it with Karma 🙂

How to remove events that have the same field value in the result?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

How to remove events that have the same field value in the result?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!